Most of us have heard the phrase “security through obscurity”. Right?

This is the idea– surprisingly common, as it seems to make plenty of sense– that Macs (and other minority computer systems) are only secure and immune from the majority of viruses, trojans, and worms because they’re obscure. I guess obscurity would mean either (or both) that Macs don’t catch the attention of malware writers, or that the Mac is simply too small a market to be worth their time.
I’d like to submit several responses to this:
1) To the claim, made by some, that “Macs are not targeted because there are too few Macs to create effective botnets and such”. This is true, and I’m sure it has some effect on the incentive (or lack thereof) to create malware. But it misses the fact that many malware writers are not organized criminal gangs from Eastern Europe– they’re just average people trying to prove a point or gain some notoriety. This is an important distinction, because while it may be true that Macs are not worth the time of large criminal organizations, it is also the case that given Apple’s reputation for security, the first widespread virus or worm for Mac would make huge news, which would be tempting for a huge number of malware authors.
2) While more “obscure” systems surely are less-targeted than Windows, there are in fact heaps of evidence that obscurity doesn’t necessarily mean security. For instance, Windows servers, which comprise around 30-40% of web servers worldwide, are the recipients of around 20% of server-specific attacks according to one study– whereas Apple has around 10% of U.S. market share among businesses and consumers, yet is vulnerable to less than 1/100th of 1% of malware (even if you count all Apple malware going back to the ’80s). If Windows and Apple really had similar security records, wouldn’t you expect Apple to be attacked at rates somewhat comparable to its market share, as Windows is in the server world?
There are many other examples too. Macs, for instance, used to get boot sector viruses decades ago, even though they had a similarly small market share. Why? Because Apple OS used to be less secure, not because it was more common. Here’s another great one: the first Windows Vista virus appeared “in the wild” while Vista was in beta testing, only available to 10,000 users (Apple currently has 20 million and virtually no viruses). Of course, one might object reasonably that Vista was attacked because it was destined to overtake Windows XP as the market leader. This may be true, but still, the fact remains that obscurity alone does not protect systems from attack– if it did, Vista would not have seen a virus for at least a few years. Or, as Daniel Eran Dilger powerfully wrote,
“Even platform targets that are tiny to the point of insignificant are attacked by malware. Specific versions of small minority of Symbian phones were attacked by a Bluetooth virus, not because those models made up 95% of the phone market, but because there was an open flaw in their software that left them vulnerable to attack.”
3) Related to the previous point, you’d expect Mac malware to follow the company’s market share increases of the past years. Apple has gone from about 1-2% (around 1995) to around 10% currently in U.S. market share. And in terms of consumer market share, Apple enjoys an even higher percentage. That’s a huge leap– and yet malware for Apple OS has stayed virtually flat, to the tune of one every few years or so. Every so often, we hear the doom and gloom of the “coming Mac malware epidemic”, yet it has not materialized. Of course, one can never predict the future, but if the past is any guide, Apple OS will only see increases in malware if its security goes downhill– not because of increasing market share.
4) Some security experts have claimed that Apple’s OS is “easy” to exploit. For instance, security expert Dino Dai Zovi, who presented at the 2009 SOURCE conference in Boston, claimed that Macs are “a lot of fun” to exploit, as compared to Windows Vista, which is “a lot of work”. Then there’s the news about the “Pwn2Own” competition, in which a MacBook has been the first to be hacked the last few years– although this is seriously mitigated by the fact that the hacker who exploited the Mac was unable to do so remotely, and was only successful when given more direct access to the machine (unlike what a malware writer would ever have, which makes his exploit useless “in the wild”). The bottom line, though, is this: “If what they’re saying is really true and Macs are actually easier than Windows to exploit, why is there virtually no malware for Macs?” One would think that if writing malware for Macs were really so easy, Mac malware would be equal to or higher than the Mac user share of about 10%– especially considering that Mac users tend to be more affluent than average, and rarely run antivirus software.
5) Consider a seemingly insignificant, yet quite important, fact about the Apple malware that does exist. Specifically, there are several trojan horses (e.g. hiding inside pirated versions of Photoshop) but not viruses or worms for Macs. At first this may seem insignificant, but it’s actually important: trojans require an explicit user invitation onto the machine (generally through masquerading as a legitimate program), and thus are far easier to write because unlike worms and viruses they have to neither self-install nor self-replicate. Bottom line: any system can be compromised by a simple malicious program that a careless user installs– there’s pretty much no way to prevent that, no matter how secure the system. But so far, Apple OS X has proven formidable against attacks requiring more sophistication– like viruses and worms. If OS X were as insecure as Windows, there would be as many Mac viruses and worms as there are trojans. But there aren’t.
Then there’s this example, from a blog that, while touting the emergence of a new piece of Mac malware, points out that while Mac users have to be fooled into physically downloading and installing this fake program (it’s a trojan horse), all a Windows user has to do is visit the website, which automatically loads an executable file. Which begs the question: given that this malware writer took the time to write a trojan for both Mac and Windows, isn’t it significant that the Windows version will self-install, whereas the Mac version requires further user action? If Macs were no more secure than Windows– or if, as the aforementioned Mr. Dai Zovi claimed, Macs were “easy to exploit”– wouldn’t this malware writer just have created a Mac version that auto-installed like the Windows version does? He could have caught waaaaay more Mac users that way.
I don’t want to be misunderstood: Apple computers are neither perfect nor immune from malware. Yet both logic and statistics show that Macs are more secure because, well, they’re more secure– not because no “bad guys” know or care about them.


